ADS DM Client Can Not Connect to Samba

John H Terpstra jht at samba.org
Fri Oct 1 02:26:48 GMT 2004


Doug,

Thanks for the feedback. I'll summarize to this list my findings late 
tomorrow. I tried samba-3.0.6, 3.0.7, 3.0.8pre1, 3.1.0SVN - all failed to
permit Windows XPPro and Windows 2000Pro clients of an ADS domain to
connect to a Samba server that is an ADS domain member. I tried this with
Win2000 ADS as well as with Win2003 ADS. In all cases, when the client does a
SessionSetupX using Kerberos credentials the Samba server reply causes the
client to drop the connection. The client tries 3 times before giving up. It 
then presents the user with a logon box. No valid username/password pair will 
permit Samba server access.

Before reporting details I will verify on a newly installed environment.

 - John T.

On Thursday 30 September 2004 16:19, Doug VanLeuven wrote:
> John H Terpstra wrote:
> >Jeremy/Folks,
> >
> >Can anyone decode what the cause of the following level 10 log fragment
> >might be?
> >
> >[2004/09/30 12:18:14, 3]
> >libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
> >  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error
> >Decrypt integrity check failed
>
> If one chases down KRB5KRB_AP_ERR_BAD_INTEGRITY in the Kerberos lists,
> and checks the krb5-1.3.4 code of a program like kinit, one ends up
> believing this is the krb5 way of saying incorrect password.
>
> For example, check lines 835-836 of kinit.c
>         else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
>             fprintf(stderr, "%s: Password incorrect while %s\n", progname,
>
> Add to this that if multiple service principal entries exist in
> /etc/krb5.keytab with the same enctype only the first matching kvno and
> enctype will be used.
>
> There seems to be a consensus that this started with 2003 ADS and spread
> to 2000 server ADS.
>
> I have 2 machines out of 5 that haven't generated this error in several
> days.  3 others do.  Otherwise my 5 Samba 3.0.8pre1-SVN-build-2605 seem
> to be identically configured in global configs.
>
> Regards, Doug

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
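
The keytab condition raised in the quoted reply (several entries for one principal with the same enctype) can be checked by reading the keytab directly. The following is an added example, not code from this thread or from Samba or krb5; it assumes the MIT keytab file format version 0x0502, the function names are hypothetical, and the host name, realm and zero-filled keys are constructed sample data.

```python
import struct

def counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] in file order (keytab format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size                    # skip abs(size) bytes
            continue
        buf, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", buf, 0)
        realm, off = counted(buf, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = counted(buf, off)
            comps.append(comp.decode())
        off += 8                           # skip name_type and timestamp
        kvno, enctype = struct.unpack_from(">BH", buf, off)   # 8-bit kvno, key type
        _key, off = counted(buf, off + 3)
        if len(buf) - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", buf, off)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), enctype, kvno))
    return out

def duplicate_keys(entries):
    """Map (principal, enctype) -> kvnos in file order, where several entries exist."""
    seen = {}
    for princ, enctype, kvno in entries:
        seen.setdefault((princ, enctype), []).append(kvno)
    return {k: v for k, v in seen.items() if len(v) > 1}

def build_entry(princ, realm, enctype, kvno, key=b"\x00" * 8):
    """Build one constructed sample entry; the key bytes are dummy zeros."""
    body = struct.pack(">H", len(princ))
    for s in [realm] + princ:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(build_entry(["host", "samba1.example.com"], "EXAMPLE.COM", e, k)
                                for e, k in [(3, 2), (3, 3), (23, 3)])  # constructed keytab
```

Calling `duplicate_keys(parse_keytab(SAMPLE))` reports the enctype 3 key that appears twice, with its kvnos listed in the order they occur in the file.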


More information about the samba-technical mailing list